LDAP or PAM pass-through authentication with Hive or Impala and Impersonation

Hue is a web server sitting between users logged in through their browsers and the respective Hadoop services. Consequently, the other servers see all of Hue's traffic as coming from a single ‘hue’ user.

Impersonation is used so that the permissions of the real logged-in user still apply. For example, when the user ‘bob’ submits a query, Hue also sends bob's username along, and HiveServer2 records ‘bob’, not ‘hue’, as the owner of the query.

Hue supports multiple ways to authenticate to the other servers: Kerberos and LDAP are common, and PAM is also supported.

Starting with the next version of Hue, the authentication method can be configured separately for Hive and Impala (it used to be a single shared setting). This lets you, for example, configure Hue to use LDAP to talk to HiveServer2 and Kerberos for Impala.

The usernames and passwords to use for LDAP or PAM are configured in the main configuration section ([desktop]) and can be overridden in each respective app section.

For better security, it is also now possible to point Hue at a script whose output is the password (the auth_password_script setting), instead of putting the password in plain text in hue.ini. If the plain-text password is not set, Hue executes the script and reads the password from its output; a script that fails or exits non-zero makes the connection fail rather than fall back to no authentication.

For example, here is how to configure a ‘hue’ user with a password supplied by a script, for all the apps:

[desktop]
auth_username=hue
# auth_password=
auth_password_script=/path/to/ldap_password
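Below is an added example of what such a password script can look like; it is not code from the Hue project or from this page. Hue takes the script's standard output as the password and treats a non-zero exit status as an error, so the script must print exactly the password and exit 0. The installed name hue_ldap_password.sh, the default secret path /etc/hue/secrets/ldap_password and the HUE_LDAP_PASSWORD_FILE environment variable are assumptions of this example; the owner-only file mode check and the fail-closed behaviour are the point.

```shell
#!/bin/sh
# Added example (not the Hue project's code): a minimal auth_password_script.
# Hue runs the configured script and uses its standard output as the LDAP/PAM
# password, so the script must print exactly the password and exit 0.
# Assumed for this example: the script is installed as hue_ldap_password.sh and
# the secret lives in /etc/hue/secrets/ldap_password unless HUE_LDAP_PASSWORD_FILE
# says otherwise.

# print_ldap_password FILE: print the password stored in FILE, or fail closed.
print_ldap_password() {
    f="$1"
    if [ ! -r "$f" ]; then
        echo "password file '$f' is missing or not readable by $(id -un)" >&2
        return 1
    fi
    # refuse a group- or world-readable secret (GNU stat -c, BSD stat -f fallback)
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    case "$mode" in
        *00) ;;   # 400, 600 or 700: only the owner can read it
        *) echo "password file '$f' has mode $mode; chmod 600 it" >&2; return 1 ;;
    esac
    # emit the password without the trailing newline
    tr -d '\n' < "$f"
}

main() {
    print_ldap_password "${HUE_LDAP_PASSWORD_FILE:-/etc/hue/secrets/ldap_password}"
}

# Hue calls the script with no arguments; only run main when installed under the
# assumed name, so the functions can also be sourced and tested on their own.
case "${0##*/}" in
    hue_ldap_password.sh) main ;;
esac
```

Make the script executable (chmod 755) and owned by the user Hue runs as, and keep the secret file at mode 600 owned by that same user: a script that is not executable returns exit status 126 from the shell, which Hue reports as an error rather than a password.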

If Hue needs to authenticate to HiveServer2 with a different username and password:

[beeswax]
auth_username=hue_hive
auth_password=hue_hive_pwd
# auth_password_script=

If Impala does not use LDAP authentication but Hive does, leave the password unset in [desktop] (which keeps LDAP/PAM inactive by default), set the credentials only in [beeswax], and specify nothing in [impala]:

[desktop]
auth_username=hue
# auth_password=
# auth_password_script=

[beeswax]
auth_username=hue_hive
auth_password=hue_hive_pwd

[impala]
# auth_username=
# auth_password=hue_impala
# auth_password_script=

Note
Not setting any password will make the LDAP/PAM authentication inactive.

Note
SSL/TLS encryption between Hue and the other Hadoop services is also supported.

Note

In Cloudera Manager, the server-side overrides go into “HiveServer2 Advanced Configuration Snippet (Safety Valve) for hive-site.xml”. For Hue to see the same settings, also add them under Hive > Configuration > Gateway > Advanced > Hive Client Advanced Configuration Snippet (Safety Valve) for hive-site.xml, then save and restart both Hive and Hue. This lets Hue pick up the hive-site.xml changes.
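Because an unset password silently leaves LDAP/PAM inactive, and because Hue decides which mechanism to use from the hive-site.xml it reads, it is worth checking the two files against each other after a change. The script below is an added example and not code from the Hue project or this page: it extracts hive.server2.authentication from a hive-site.xml, resolves the Hive credentials from hue.ini, and flags the combinations that would not work. The resolution order (a key in [beeswax] overrides the same key in [desktop], and a plain auth_password wins over auth_password_script) is an assumption drawn from the description above; the sample files it writes are constructed for the dry run, not real cluster files.

```shell
#!/bin/sh
# Added example (not code from the Hue project): cross-check the credentials in
# hue.ini against hive.server2.authentication in the hive-site.xml Hue reads.
# Assumed here, not stated on the page: a [beeswax] key overrides the same
# [desktop] key, and a plain auth_password takes precedence over the script.

# ini_get FILE SECTION KEY: print the first uncommented KEY=value inside [SECTION].
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[[:space:]]*#/ { next }                              # comment line
        /^[[:space:]]*\[/ { sec = $0; gsub(/[[:space:]]/, "", sec); next }
        sec == want && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# hive_auth FILE: print hive.server2.authentication from hive-site.xml
# (Hive's default is NONE when the property is absent).
hive_auth() {
    awk '
        /<name>[[:space:]]*hive\.server2\.authentication[[:space:]]*<\/name>/ { grab = 1 }
        grab && /<value>/ {
            v = $0; sub(/.*<value>[[:space:]]*/, "", v); sub(/[[:space:]]*<\/value>.*/, "", v)
            print toupper(v); found = 1; exit
        }
        END { if (!found) print "NONE" }' "$1"
}

# hue_hive_auth_check HUE_INI HIVE_SITE: return 0 if the files agree, 1 with a reason.
hue_hive_auth_check() {
    auth=$(hive_auth "$2")
    pw=$(ini_get "$1" beeswax auth_password)
    [ -n "$pw" ] || pw=$(ini_get "$1" desktop auth_password)
    script=$(ini_get "$1" beeswax auth_password_script)
    [ -n "$script" ] || script=$(ini_get "$1" desktop auth_password_script)
    case "$auth" in
        LDAP|PAM)
            if [ -z "$pw" ] && [ -z "$script" ]; then
                echo "hive-site.xml says $auth but hue.ini sets no auth_password or auth_password_script: pass-through is inactive"
                return 1
            fi
            if [ -z "$pw" ] && [ ! -x "$script" ]; then
                echo "auth_password_script '$script' is missing or not executable; Hue cannot obtain the password"
                return 1
            fi ;;
        *)
            if [ -n "$pw" ] || [ -n "$script" ]; then
                echo "hive-site.xml says $auth but hue.ini carries a Hive password: check that this hive-site.xml is the one HiveServer2 uses"
                return 1
            fi ;;
    esac
    echo "ok: hive.server2.authentication=$auth and the hue.ini credentials agree"
}

# write_samples DIR: constructed sample files for a dry run (not real cluster files).
write_samples() {
    cat > "$1/hue.ini" <<'EOF'
[desktop]
auth_username=hue
# auth_password=
# auth_password_script=

[beeswax]
auth_username=hue_hive
auth_password=hue_hive_pwd

[impala]
# auth_password=hue_impala
EOF
    cat > "$1/hive-site-ldap.xml" <<'EOF'
<configuration>
  <property><name>hive.server2.authentication</name><value>LDAP</value></property>
</configuration>
EOF
    printf '<configuration>\n</configuration>\n' > "$1/hive-site-none.xml"
}

# Real run: ./hue_hive_auth_check.sh /etc/hue/conf/hue.ini /etc/hive/conf/hive-site.xml
if [ $# -eq 2 ]; then
    hue_hive_auth_check "$1" "$2"
fi
```

Run it against the hive-site.xml on the Hue host, not the one on the HiveServer2 host: the point of the check is to catch the local copy lagging behind the server's configuration after a change made in Cloudera Manager.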

11 Comments

  1. Kumar 2 years ago

    Hive in Hue takes 2 to 3 minutes to open and, once opened, doesn't load any databases or tables. What is the error and what logs should I check? The circle keeps rotating at the database location.

    • Hue Team 2 years ago

      This is because of what you said below, in next Hue 3.10 the error message will be more obvious instead of spinning forever.

  2. Kumar 2 years ago

    Follow up (Hive server2 error log for the previous comment)

    org.apache.thrift.server.TThreadPoolServer

    Error occurred during processing of message.
    java.lang.RuntimeException: org.apache.thrift.transport.TTransportException: Unsupported mechanism type PLAIN
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:219)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:739)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory$1.run(HadoopThriftAuthBridge.java:736)
    at java.security.AccessController.doPrivileged(Native Method)
    at javax.security.auth.Subject.doAs(Subject.java:360)
    at org.apache.hadoop.security.UserGroupInformation.doAs(UserGroupInformation.java:1651)
    at org.apache.hadoop.hive.thrift.HadoopThriftAuthBridge$Server$TUGIAssumingTransportFactory.getTransport(HadoopThriftAuthBridge.java:736)
    at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:268)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
    Caused by: org.apache.thrift.transport.TTransportException: Unsupported mechanism type PLAIN
    at org.apache.thrift.transport.TSaslTransport.sendAndThrowMessage(TSaslTransport.java:232)
    at org.apache.thrift.transport.TSaslServerTransport.handleSaslStartMessage(TSaslServerTransport.java:138)
    at org.apache.thrift.transport.TSaslTransport.open(TSaslTransport.java:271)
    at org.apache.thrift.transport.TSaslServerTransport.open(TSaslServerTransport.java:41)
    at org.apache.thrift.transport.TSaslServerTransport$Factory.getTransport(TSaslServerTransport.java:216)
    … 10 more

    • Hue Team 2 years ago

      This often means that the local hive-site.xml on the Hue machine is not the same as the hive-site.xml of Hive. Hue does not know which authentication to use then when creating a HiveServer2 session.

  3. Riya 2 years ago

    I am trying to sync Linux users (with PAM authentication) with Hue (version 3.9).
    I tried setting the properties below in hue.ini.

    backend=desktop.auth.backend.PamBackend
    pam_service=login

    Then I was not able to log in, neither as hue nor as any other Linux user.
    Please suggest what I am missing here.

    • Hue Team 2 years ago

      Any log/error you get?

  4. priya 2 years ago

    There are no errors. It just says either the username or the password is incorrect.

    • Hue Team 2 years ago

      There should be more details about the trace of the error in the Hue logs.

  5. priya 2 years ago

    Surprisingly, there were no relevant logs other than “Authentication failed for user xxxx”.

  6. Ajay V Wisawe 7 months ago

    In order to provide better security, it is also now possible to provide a path to a file that contains the password to use (instead of putting it in plain in the hue.ini). If the plain password is not set, the file will be used.

    This feature errors out:
    Traceback (most recent call last):
    File "/opt/mapr/hue/hue-3.9.0/apps/beeswax/src/beeswax/api.py", line 52, in decorator
    return view_fn(request, *args, **kwargs)
    File "/opt/mapr/hue/hue-3.9.0/apps/beeswax/src/beeswax/api.py", line 89, in autocomplete
    db = dbms.get(do_as, query_server)
    File "/opt/mapr/hue/hue-3.9.0/apps/beeswax/src/beeswax/server/dbms.py", line 59, in get
    DBMS_CACHE[user.username][query_server['server_name']] = HiveServer2Dbms(HiveServerClientCompatible(HiveServerClient(query_server, user)), QueryHistory.SERVER_TYPE[1][0])
    File "/opt/mapr/hue/hue-3.9.0/apps/beeswax/src/beeswax/server/hive_server2_lib.py", line 421, in __init__
    use_sasl, mechanism, kerberos_principal_short_name, impersonation_enabled, ldap_username, ldap_password = self.get_security()
    File "/opt/mapr/hue/hue-3.9.0/apps/beeswax/src/beeswax/server/hive_server2_lib.py", line 477, in get_security
    ldap_password = get_ldap_password()
    File "/opt/mapr/hue/hue-3.9.0/desktop/core/src/desktop/conf.py", line 1097, in get_ldap_password
    password = LDAP_PASSWORD_SCRIPT.get()
    File "/opt/mapr/hue/hue-3.9.0/desktop/core/src/desktop/lib/conf.py", line 142, in get
    return self.config.get_value(data, present=present, prefix=self.prefix, coerce_type=True)
    File "/opt/mapr/hue/hue-3.9.0/desktop/core/src/desktop/lib/conf.py", line 258, in get_value
    return self._coerce_type(raw_val, prefix)
    File "/opt/mapr/hue/hue-3.9.0/desktop/core/src/desktop/lib/conf.py", line 278, in _coerce_type
    return self.type(raw)
    File "/opt/mapr/hue/hue-3.9.0/desktop/core/src/desktop/conf.py", line 60, in coerce_password_from_script
    raise subprocess.CalledProcessError(p.returncode, script)
    CalledProcessError: Command '/opt/mapr/hue/hue-3.9.0/desktop/conf/test2' returned non-zero exit status 126

    • Hue Team (Author) 7 months ago

      The issue was fixed when the command returned a proper exit code of 0, I think?
